Filing this as its own feature request specifically for D7, but should be decided along with the considerations regarding the D8 port.

Ref. @tshorock in #1 over at #2381729: Drupal 9 port and time to consider interoperability with TFA modules:

"It's helpful to have multiple 2FA methods interact with each other. (i.e., permit users a choice of Yubi OTP, TOTP, U2F, recovery codes, etc)."

This is important both for D7 and D8.

And high time now.

We really need to be able to set up alternative factors, and get "multi-factor" which is the next step after the 2FA move has proven insufficient (which it is, the more important your accounts and logins and web site security is for you).

I would like to have these new options:

  • yubikey-only login, but WITH an option to change to another 2FA like TOTP, SMS, DuoSecurity, etc. (So I will have 3+ alternatives set up on the account)
  • yubikey/any2FA "only", but then not instantly logged in, but generating a One-Time login link sent out by email, so that you will not get that email without having the Yubikey at hand (or other 2FA)
  • username + 2FA of my choice (OTP, TOTP, U2F, recovery codes, SMS, etc.), right there in the login screen; choose which 2FA I would like to use (no password)
  • username + password + 2FA of my choice
  • configurable option per user and as an optional site policy: YK in Challenge response mode, so that we can log in using only username or username+password, and then only get logged in IF the correct Yubikey is inserted in the computer, without the need to push the button.
  • give the email address or user name, and then automatically get a one-time login link by email IF the challenge-response function gives a positive (if the right YK is inserted in the USB when you give the name/email).
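To make the requested policy concrete, here is an added sketch (my own example code, not the Yubikey module's or Drupal's) of a login evaluator that models the combinations listed above: a per-site policy of accepted factor "recipes", a per-user set of enrolled factors, and the "send a one-time login link instead of a session" variant. All factor verifiers, secrets and names (`ALICE`, `SitePolicy`, `attempt_login`, the `_LINKS` store) are constructed for this example; a real implementation would verify Yubico OTPs, TOTP and U2F against their respective protocols rather than against fixed strings.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Optional

# Factor kinds named in the request above.
PASSWORD, YUBI_OTP, TOTP, U2F, RECOVERY, SMS = (
    "password", "yubi_otp", "totp", "u2f", "recovery", "sms")
SECOND_FACTORS = {YUBI_OTP, TOTP, U2F, RECOVERY, SMS}


@dataclass
class SitePolicy:
    """Hypothetical site policy: which factor sets complete a login."""
    accepted: List[FrozenSet[str]]
    email_link_instead_of_session: bool = False   # bullet 2 above
    link_ttl_seconds: int = 600


def password_plus_any_2fa() -> List[FrozenSet[str]]:
    """username + password + 2FA of the user's choice."""
    return [frozenset({PASSWORD, f}) for f in SECOND_FACTORS]


def any_2fa_without_password() -> List[FrozenSet[str]]:
    """username + 2FA of the user's choice, no password."""
    return [frozenset({f}) for f in SECOND_FACTORS]


@dataclass
class User:
    name: str
    email: str
    # factor kind -> verifier(proof) -> bool; only enrolled factors count
    verifiers: Dict[str, Callable[[str], bool]]


@dataclass
class LoginResult:
    outcome: str                      # "denied", "session" or "link_sent"
    verified: FrozenSet[str] = frozenset()
    link_token: Optional[str] = None


def attempt_login(policy: SitePolicy, user: User,
                  presented: Dict[str, str]) -> LoginResult:
    """Check every presented proof, then match the set of factors that actually
    verified against the policy. A factor the user never enrolled is ignored."""
    verified = frozenset(
        kind for kind, proof in presented.items()
        if kind in user.verifiers and user.verifiers[kind](proof))
    if not any(recipe <= verified for recipe in policy.accepted):
        return LoginResult("denied", verified)
    if policy.email_link_instead_of_session:
        token = issue_one_time_link(user, policy.link_ttl_seconds)
        return LoginResult("link_sent", verified, token)   # token goes out by email
    return LoginResult("session", verified)


# One-time login links: store only a hash of the token, single use, with expiry.
_LINKS: Dict[str, tuple] = {}


def issue_one_time_link(user: User, ttl: int, now: Optional[float] = None) -> str:
    token = secrets.token_urlsafe(32)
    digest = hashlib.sha256(token.encode()).hexdigest()
    issued = time.time() if now is None else now
    _LINKS[digest] = (user.name, issued + ttl)
    return token


def redeem_one_time_link(token: str, now: Optional[float] = None) -> Optional[str]:
    """Return the user name for a valid, unexpired token; pop() makes it single-use."""
    digest = hashlib.sha256(token.encode()).hexdigest()
    entry = _LINKS.pop(digest, None)
    if entry is None:
        return None
    name, expires = entry
    current = time.time() if now is None else now
    return name if current < expires else None


# Constructed demo verifiers (NOT real credentials, NOT real OTP validation).
def _const_verifier(expected: str) -> Callable[[str], bool]:
    return lambda proof: hmac.compare_digest(proof, expected)


def _password_verifier(password: str) -> Callable[[str], bool]:
    salt = b"example-salt"
    stored = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return lambda proof: hmac.compare_digest(
        hashlib.pbkdf2_hmac("sha256", proof.encode(), salt, 100_000), stored)


ALICE = User("alice", "alice@example.test", {
    PASSWORD: _password_verifier("correct horse"),
    YUBI_OTP: _const_verifier("ccccccexampleotp"),
    TOTP: _const_verifier("123456"),
})

if __name__ == "__main__":
    policy = SitePolicy(password_plus_any_2fa())
    print(attempt_login(policy, ALICE, {PASSWORD: "correct horse", TOTP: "123456"}).outcome)
```

The policy is a list of factor sets rather than a single "2FA on/off" flag, which is what lets one user log in with password + TOTP while another uses only a Yubikey OTP, and the email-link variant only issues a link after the factors have verified, so the link never reaches the mailbox without the key (or other factor) being present.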

Comments

Leeteq created an issue. See original summary.


Btw: U2F is a challenge-response protocol which does not need a physical key press by the user. This means that for those (newer) Yubikeys that come with U2F support, only 1 available slot is needed (for OTP), and the U2F feature is provided without taking up any of the two configurable "slots". (Edited for clarification.)
